CVE-2023-39957 HIGH

CVE-2023-39957: Path traversal allows tricking the Talk Android app into writing files into its root directory

Vendor Nextcloud
Product security-advisories
Weakness CWE-22 · Path traversal
Published August 10, 2023
Last update October 4, 2024

CVSS base score

7.2/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Nextcloud Talk Android allows users to place video and audio calls through Nextcloud on Android. Prior to version 17.0.0, an unprotected intent allowed malicious third-party apps to trick the Talk Android app into writing files outside of its intended cache directory. Nextcloud Talk Android version 17.0.0 has a patch for this issue. No known workarounds are available.

Key dates

02 Disclosure timeline

August 10, 2023 CVE published
October 4, 2024 Record updated